Running SIP behind NAT Dr. Christian Stredicke, snom technology AG

Running SIP behind NAT Dr. Christian Stredicke, snom technology AG Paris, France, January 2002

Overview
  1. Problem Description
  2. STUN: Using Legacy Equipment
  3. TURN: Fixing Remaining Problems
  4. UPnP: Remote Control for Routers
  5. Application Layer Gateways
  6. Remaining Problems & Solutions

Which information does a client have to set up for port forwarding in NAT equipment?
  - The router needs information about where to send packets in the private network: map a public port to a private address and port. By default, packets will be rejected or sent to the DMZ.
  - The router needs a hint for security checking: accept packets from any destination, accept packets only from the associated host, or accept packets only from the associated host and port.
  [Diagram: router with public address 123.123.123.123 and private address 192.168.0.1, two clients behind it]

How did other applications solve the problem?
  - HTTP, telnet, ...: using TCP
  - DNS, others: "digging holes": an association is set up when the client sends out a packet from an unmapped port, and kept for 15-60 seconds; the security policy is hardwired by the vendor; some routers offer a DNS proxy (application layer gateway)
  - ftp: does not work! Inexperienced users use http instead; some routers offer an application layer gateway
  - Heterogeneous environment: every vendor does it in a different way; "digging holes" is the common denominator

snom STUN uses the hole-digging trick to set up port associations
  - The initialization procedure checks the environment. Goal: check whether STUN is needed at all. The type of NAT does not really matter, because the user is not interested in the reason for a failure.
  - The SIP port is kept alive by sending packets every 15-60 s.
  - RTP ports are allocated dynamically when a call is started; otherwise keep-alive traffic would be doubled.
  - The RTCP port cannot be allocated this way, because it is unlikely that the NAT also allocates the next port.
  - Long ringing and putting the caller on hold are problematic (no port refresh during this time).

In cases where the NAT is symmetric, TURN could be a solution
  [Diagram: client 192.168.0.1 behind router 123.123.123.123, STUN/TURN server at 124.124.124.124, remote client. 1. Allocate request/response, 2. Activate request/response, 3. SIP/media]

TURN works in a symmetric NAT environment, but has too many problems
  - Scalability: the TURN server becomes a "media server"; every call generates about 50 packets per second
  - Delay: sending packets over a media server increases transport delay significantly, e.g. a local call in Tokyo when the TURN server is in Frankfurt
  - TURN specification: needs rework (activation message not defined)

UPnP is the right approach
  - Generic protocol to allocate ports on the router
  - Works with SIP, can be used with other applications as well
  - Can be integrated with firewalls
  - Not too hard to implement
  - Microsoft Messenger uses UPnP: "de facto standard"
  - Virtually all DSL router vendors offer UPnP now
  - Problem: old equipment. Use STUN; maybe use TURN, even if call duration is terrible; instruct customers to set up ports manually

With the increasing availability of UPnP, most home customers can be addressed
  [Illustrative chart, 2002-2003: the share of STUN shrinks as UPnP grows through software updates and new equipment]

Application layer gateways (ALG) solve the problem in the business area
  - Business customers have different requirements than home users: many phones; they want to run proxies, media servers and application servers behind their firewall
  - These applications probably will not have UPnP or STUN
  - Therefore, firewalls will probably include a SIP-aware ALG
  - Sample SIP NAT ALG available from snom

Calling phones in the same network requires ancillary information
  1a) Phone A sends to the public address of B
  1b) The router will not forward the packet; the call will fail
  2) A knows B is in the same NAT and sends the packet to the private address instead

Ancillary information must be placed in the Contact URI and in the SDP

  INVITE sip:info1@snomag.de SIP/2.0
  Via: SIP/2.0/UDP 218.230.0.59:5060;branch=z9hG4bK-6rms4e9tmtsz
  Max-Forwards: 70
  From: <sip:abc@snomag.de>;tag=16z5zw9lqt
  To: <sip:info1@snomag.de>
  Call-ID: 0000a4f95f24-zzt41v6ulesj@218.230.0.59
  CSeq: 1 INVITE
  Contact: <sip:abc@218.230.0.59:5060;srcadr=192.168.0.4%3A5060;transport=udp;line=1>
  Content-Type: application/sdp
  Content-Length: 311

  v=0
  o=root 19211 19211 IN IP4 218.230.0.59
  s=SIP Call
  c=IN IP4 218.230.0.59
  t=0 0
  m=audio 10004 RTP/AVP 0 101
  a=rtpmap:0 pcmu/8000
  a=rtpmap:101 telephone-event/8000
  a=fmtp:101 0-15
  a=x-private:192.168.0.4:10004 218.230.0.59:10004

Multi-tier NAT requires a list of private addresses
  When using STUN, a STUN server is required between the layers.
  [Diagram: NAT1 with public side 123.123.123.123 and a STUN server outside it; inside NAT1 a STUN server at 10.0.0.1, NAT2 at 10.0.0.2 and NAT3 at 10.0.0.3, each with inner address 192.168.0.1; Phone A (192.168.0.2) behind NAT2, Phone B (192.168.0.2) behind NAT3]
  A has three identities: 1. 192.168.0.2:5060  2. 10.0.0.2:1234  3. 123.123.123.123:5678
  B has three identities: 1. 192.168.0.2:5060  2. 10.0.0.3:1234  3. 123.123.123.123:5679
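The following is an added example, not code from the presentation or from snom: it extracts the private/public identity pairs from the srcadr Contact parameter and the a=x-private SDP attribute shown in the INVITE above, and then applies the same-NAT decision from the two preceding slides, generalised to the multi-tier case by comparing identities layer by layer from the outside in (this layer-walk is my reading of the slides, not a procedure they spell out). The sample INVITE is constructed to match the format on the page.

```python
import re
from urllib.parse import unquote

# Constructed sample in the presentation's format: public address 218.230.0.59,
# private address 192.168.0.4 carried in srcadr (Contact) and a=x-private (SDP).
SAMPLE_INVITE = (
    "INVITE sip:info1@snomag.de SIP/2.0\r\n"
    "Contact: <sip:abc@218.230.0.59:5060;srcadr=192.168.0.4%3A5060;transport=udp;line=1>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 218.230.0.59\r\nm=audio 10004 RTP/AVP 0 101\r\n"
    "a=x-private:192.168.0.4:10004 218.230.0.59:10004\r\n"
)

def signalling_identities(msg):
    """SIP identities as ['private ip:port', 'public ip:port'] (innermost first),
    from the Contact URI host:port and its srcadr parameter."""
    m = re.search(r"^Contact:\s*<sip:[^@>]*@([\d.]+:\d+);([^>]*)>", msg, re.M)
    if not m:
        return []
    params = dict(p.split("=", 1) for p in m.group(2).split(";") if "=" in p)
    priv = params.get("srcadr")
    return [unquote(priv), m.group(1)] if priv else [m.group(1)]

def media_identities(msg):
    """RTP identities from a=x-private (private first, then public); fall back
    to the plain c=/m= address when the attribute is absent."""
    m = re.search(r"^a=x-private:(\S+) (\S+)", msg, re.M)
    if m:
        return [m.group(1), m.group(2)]
    c = re.search(r"^c=IN IP4 ([\d.]+)", msg, re.M)
    p = re.search(r"^m=audio (\d+)", msg, re.M)
    return [f"{c.group(1)}:{p.group(1)}"] if c and p else []

def choose_destination(mine, peer):
    """Pick the peer identity to send to. Lists run innermost to outermost.
    Walk from the outside in: equal IPs at a layer mean both sides sit behind
    the same NAT there, so step one layer further in. The first layer where
    the IPs differ is the one we can reach directly; if every layer matches,
    the peer is on our own LAN (or is us) and the innermost address is used."""
    for k in range(1, min(len(mine), len(peer)) + 1):
        if mine[-k].split(":")[0] != peer[-k].split(":")[0]:
            return peer[-k]
    return peer[0]

if __name__ == "__main__":
    callee = signalling_identities(SAMPLE_INVITE)
    # Caller behind the same NAT: private address is chosen.
    print(choose_destination(["192.168.0.7:5060", "218.230.0.59:5060"], callee))
    # Caller elsewhere on the Internet: public address is chosen.
    print(choose_destination(["10.1.1.1:5060", "1.2.3.4:5060"], callee))
```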

How should a phone boot up?
  1. Try UPnP. If UPnP is available: use UPnP. If there is no response (5 seconds) or it is not available: continue.
  2. Try to register. This step can be done even without STUN, as the registrar returns the response quickly. If there is no problem (either a public address, an ALG, or a totally private environment): use the given identity. If the registrar complains about a private address: use STUN.

sip:info@snomag.de

© 2002 snom technology Aktiengesellschaft. Written by: Dr. Christian Stredicke. Version: 1.0. The author has made his best effort to prepare this document. The content is based upon the latest information whenever possible. The author makes no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accepts no liability of any kind, including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly by this document. For more information, mail info@snom.de, Pascalstr. 10E, 10587 Berlin, Germany.